Lawsuit alleging Gmail ads are “wiretapping” gets judge’s OK

Non-Gmail users never agreed to have their e-mail scanned, lawyers say.

It's widely understood that the ads Google puts in Gmail are based on the content of e-mails. The millions of Gmail users presumably accept the company's promise that "no humans read your e-mail."

Despite that, a lawsuit claiming that Google's practice violates pre-Internet anti-wiretapping laws will be going forward. Lawyers representing non-Gmail users of various stripes in a class-action lawsuit say their clients never agreed to have their e-mails intercepted and scanned by Google. They argue that Google's "interception" of those e-mails violates federal anti-wiretapping laws and state privacy laws. And today, US District Judge Lucy Koh agreed with them, refusing to grant Google's motion to dismiss the case.

Even an e-mail sender who read the company's privacy policies "would not have necessarily understood that her e-mails were being intercepted to create user profiles or to provide targeted advertisements," stated the judge. The plaintiffs in this case haven't consented implicitly or explicitly to have their e-mails scanned, and so the lawsuit can move forward, she ruled.

Some of the plaintiffs do use Google mail, but they're not free Gmail users, who would have agreed to Google's ad-scanning terms when they signed up. Rather, they're users of non-ad-based e-mail, including some of Google's own paid services, like Google Apps for Education. Those users of non-Gmail services didn't agree to get their e-mails scanned by the service, their lawyers argued.

The proposed classes of plaintiffs—and there are several—are potentially huge. One includes "all US citizen non-Gmail users who have sent a message to a Gmail user and received a reply or received an e-mail from a Gmail user."

No, really, they’re all cool with it

In its defense, Google said that those users gave "implied consent" to Gmail's business practices when they chose to e-mail Gmail users. "Google's theory is that all e-mail users understand and accept the fact that e-mail is automatically processed," not just for advertising but for things like spam filtering, which is vital to running a modern e-mail service. In its motion to dismiss, Google described this class action lawsuit as an attempt to "criminalize ordinary business practices" that were nearly a decade old.

Koh didn't buy it. Google's theory that non-Gmail users had offered "implied consent" when they shot off an e-mail to a Gmail user would "eviscerate the rule against interception," she wrote.

Even for users who may have read some company policies, Koh found that Google's disclosures were lacking. They suggest that Google ads "were based on information 'stored on the services' or 'queries made through the Services'—not information in transit via e-mail," she wrote. Google also doesn't disclose that it uses e-mails to build "user profiles," not only to serve up the immediate advertisements.

Google did succeed in getting certain state law claims thrown out of the lawsuit, including claims under Pennsylvania law and some California state law claims.

The search giant hasn't lost this lawsuit—there's a long way to go. The plaintiffs have a lot of work ahead of them, including getting their case accepted as a class action. The fact that Google wasn't able to knock the case out on a motion to dismiss does increase the chances of a settlement, but it seems likely Google will fight tooth-and-nail on an issue like this. The company is already fighting hard against an adverse ruling that anti-wiretapping laws apply to its Wi-Fi data collection screwup. It suffered that ruling at an appeals court earlier this month and has asked for it to be reconsidered.

One user of an academic email system powered by Google told Ars he agreed with at least some of the sentiment of the lawsuit, in that Google hadn't fully disclosed how it was using emails it distributed.

"Here at Berkeley, I repeatedly asked both lawyers and engineers whether our gMail-powered email system, bMail, would profile students," said UC Berkeley law prof Chris Hoofnagle in an email to Ars. "They said there would be no ads, but would not make a writing about other data mining of bMail content. We certainly did not consent to all of this, and in retrospect, I feel (as a relatively sophisticated player in this field) misled by the Google people."

249 Reader Comments

I can sympathise with both sides; one of the biggest problems with e-mail it's that pretty much all of it is sent as plaintext. A few savvy users might use S/MIME or PGP encryption, but that only works if the recipient is setup to receive it. As a result, most e-mail is plainly available to every server involved in the process.

This is both a good and bad thing; while advertising isn't the best use of these open e-mails, there's also the more useful applications such as spam-filtering at the service provider level, which allows you to avoid receiving spam, phishing attempts etc. in the first place. But by the same logic as this suit does that mean that spam-filtering is also in violation of wire-tapping laws?

Of course, the end user is the one for whom the advertising is paying for the "free" service, but anyone else is sending the e-mail under the reasonable assumption that only the recipient is going to read it. But at the same time, once you've sent the e-mail it's not really up to you; that end user could forward that e-mail to all their friends, delete it without reading it etc., so is allowing it to be filtered for advertising any worse?

I'd probably argue that google's processing should only occur on e-mails that a person actually opens; i.e - so it isn't happening en-route to the recipient, this also means that Google only processes e-mails the user indicated a genuine interest in, which is probably better for their metrics anyway. Not sure if that's what it does now, or if it just processes everything (except spam hopefully)?

Only allowing Google's processing to take place on emails that are opened would eliminate virus and spam filtering.

For goodness sakes.... THERE IS NO FREE LUNCH... Google makes money by pushing ads on you, pure and simple. They do not exist to 'do no evil', the exist to prolong their existance via a revenue stream. So if you don't like that, go PAY for an email program. Quit your whining about getting something for free and then having to live by the TOS. Sheesh...

You do not seem to get the point, which is that the sender did not use gmail. I pay my provider to send, receive and store my email.

BTW, to the people that say that it's "just an algorithm" that scans it: imagine the algorithm getting smarter and smarter. Imagine it gets to a point where it could be considered intelligent at human level. Would it then still be ok? If not, the line has to be drawn somewhere, and remember: there is no working definition of intelligence at this moment.

BTW, to the people that say that it's "just an algorithm" that scans it: imagine the algorithm getting smarter and smarter. Imagine it gets to a point where it could be considered intelligent at human level. Would it then still be ok?

With regards to profiling. Google is the company that automatically linked a Google+ account for dead author Truman Capote to a NYTimes article of another author, and in the end we'll just chalk it up to algorithmic error of their automated services? These wide ranging blanket clauses to do what they please with information is a slippery slope if left unchecked. Google may very well prevail in the email case, but anything that makes them put a little more forethought in their practices because these blanket clauses aren't enough to fend legal challenge is IMO good for us all.

For goodness sakes.... THERE IS NO FREE LUNCH... Google makes money by pushing ads on you, pure and simple. They do not exist to 'do no evil', the exist to prolong their existance via a revenue stream. So if you don't like that, go PAY for an email program. Quit your whining about getting something for free and then having to live by the TOS. Sheesh...

You do not seem to get the point, which is that the sender did not use gmail. I pay my provider to send, receive and store my email.

BTW, to the people that say that it's "just an algorithm" that scans it: imagine the algorithm getting smarter and smarter. Imagine it gets to a point where it could be considered intelligent at human level. Would it then still be ok? If not, the line has to be drawn somewhere, and remember: there is no working definition of intelligence at this moment.

The sender DID use gmail. When you consciously insert the gmail address "mygirlfriend@gmail.com" in the "TO:" field and the click "send" you are requesting google services to receive your email, hence you are using their service to carry, process and deliver that email to the recipient .

If I send a letter to Joe down the street and he has given permission to a company to read all of his mail so the junk mail he gets is more targeted do I have the right to sue? Isn't the act of emailing someone giving them the email and thus it is then theirs to do with however the like? Email isn't analogous to you writing something on a piece of paper and showing it to a friend so they can read it then taking the paper back and you're not giving them the paper with the expectation that its still yours and they will give it back either. I apply content to a medium and give it to another individual with no expectation of continued ownership or its return.

Once you send the e-mail, you give up right to privacy. It's no different from any other form of communication. If you send someone a letter, that letter can be legally published or shared with others, if the recipient chooses to do so. If you leave someone a voicemail, or call someone and they choose to record you secretly (which they can do, since one of the parties is aware of the recording), they can choose to publish or share those recordings. In this case, the recipient agreed to share the contents of their email with Google when they signed up for the service.

The sender DID use gmail. When you consciously insert the gmail address "mygirlfriend@gmail.com" in the "TO:" field and the click "send" you are requesting google services to receive your email, hence you are using their service to carry, process and deliver that email to the recipient .

First, in no normal meaning of the word did the sender use gmail in that case. When you send me a letter, are you using my house because you've put my address on the envelope? When you call me, do you use my phone? When you call me by my name, or tell someone to deliver me a message, are you using me? No, no, and no. The receiver is using gmail to receive and store the email for later perusal.

Second, if you stretch the meaning of the word "to use" up to include all this, then still the sender did not agree to any TOS (something which Google will not deny; that would be plain stupid).

And if using a service, and the Internet is a service, allows the owner to do anything with the content, then you've given the NSA the only argument it will ever need.

This really makes no sense - every corporate email system on the planet would also violate wiretap laws as well. Along with any email system that does any type of heuristics spam detection, as the messages need to be parsed in order to be scanned. Then you add in compliance filters and apparently almost every email server on the planet violates wire tapping laws.

You can not have compliance filters if you do not scan the emails, you can not have reliable spam protection if you are not actually looking at the content of the message.

Heck many email systems including gmail even check to see if you are attaching an executable, and obviously run a virus scan on the attachments as well...

Google loosing this case is a big deal for any email provider, in the past it was always thought of (at least in my mind) as soon as your email leaves your server it is up for grabs, and when you send it to another email server their rules (known or unknown apply).

And for the comment about the postal server opening up a piece of mail to check it out - the post master general can open ANY letter for inspection without prior notice to the sender or recipient.

If they are done without the creator's consent, and then used to target advertisements and fed to any government agency that asks politely? Yes.

Your argument is a non-sequitur. The OP raised a valid question. Between the two implied opinions, it may be that the intent of interception matters...although everything sent via packet-based protocol is by definition "intercepted". Definitely an interesting case.

So why are you complaining that Gmail shouldn't advertise to you? Or is the trouble that they are advertising more directly to you? See, as long as they aren't using annoying multimedia ads, then they haven't been causing me any trouble.

People are complaining because Gmail is wiretapping their emails by doing more analysis on it than is necessary to accurately deliver it.

It sort of depends on if the scanning is done inline prior to delivery, isn't it? If it is analyzed post delivery or in parallel then the email belongs to the recipient.

I send my wife flowers, they are hers. If she has an agreement with the security guard at the front desk saying he can smell them all he wants and can take one home to his wife, what is the legal standard?

Your argument is a straw man since there are strong laws covering privacy of mail (and I guess email) but those laws do not exist for flowers.

Not really understanding why people keep bringing up spam filtering since no personal data is retained from that process? Just like no data is retained during transmission... well, unless certain metadata is matched that is.

Something like S/MIME encryption should be the default, so you actually have to know someone's public key in order to mail them.

The problem there is that we'd be unable to contact anyone we didn't know personally IRL first, as the only way to get their key would be for them to post it in public. This would be a huge roadblock for things like the growing number of wiki projects that require prospective editors register by sending an email to the admin.

That's not true. There are plenty of widespread web of trust mechanisms that allow people to publish their keys or certificates for exactly these purposes. And any kind of web project is going to be the easiest scenario for that. Certificate linked on web page -> grab -> validate that it matches up with your web of trust -> mail them.

Something like S/MIME encryption should be the default, so you actually have to know someone's public key in order to mail them.

The problem there is that we'd be unable to contact anyone we didn't know personally IRL first, as the only way to get their key would be for them to post it in public. This would be a huge roadblock for things like the growing number of wiki projects that require prospective editors register by sending an email to the admin.

That's not true. There are plenty of widespread web of trust mechanisms that allow people to publish their keys or certificates for exactly these purposes. And any kind of web project is going to be the easiest scenario for that. Certificate linked on web page -> grab -> validate that it matches up with your web of trust -> mail them.

The first thing I do when trying to contact someone I don't know personally is look on pool.sks-keyservers.net, or their website if they have one.

So why are you complaining that Gmail shouldn't advertise to you? Or is the trouble that they are advertising more directly to you? See, as long as they aren't using annoying multimedia ads, then they haven't been causing me any trouble.

People are complaining because Gmail is wiretapping their emails by doing more analysis on it than is necessary to accurately deliver it.

It sort of depends on if the scanning is done inline prior to delivery, isn't it? If it is analyzed post delivery or in parallel then the email belongs to the recipient.

I send my wife flowers, they are hers. If she has an agreement with the security guard at the front desk saying he can smell them all he wants and can take one home to his wife, what is the legal standard?

Your argument is a straw man since there are strong laws covering privacy of mail (and I guess email) but those laws do not exist for flowers.

Not really understanding why people keep bringing up spam filtering since no personal data is retained from that process? Just like no data is retained during transmission... well, unless certain metadata is matched that is.

When you do heuristics based SPAM filters you better believe personal information is retained - though its most likely anonymized, but in some cases its not because the sender is often important in these situations.

Then you get into compliance filters... This gets even messier with these as in many times even the own employees don't even know whats being flagged and archived in the compliance filters... These are for internal and external messages...

Re: S/MIME et al. - IIRC, Google says that the moment when your mail is scanned and ads are chosen is when you open it in the webmail interface. Assuming GMail's web interface learns to wrap/unwrap messages in S/MIME, you're not changing anything here, though you're adding security in transit.

Any kind of end to end encryption needs to actually be implemented at the endpoints. So our hypothetical GMail for S/MIME would have to be implemented in the browser, not on Google's server. If it decrypted the message in the browser and then sent the contents for processing on the server, this would be a clear breach of trust.

Not really understanding why people keep bringing up spam filtering since no personal data is retained from that process? Just like no data is retained during transmission... well, unless certain metadata is matched that is.

Judge Koh doesn't talk about "personal data" she talks about making a "user profile" and spam filters and other mail service do make user profiles

No, that is not how bayesian filter work, they are collected and actioned based on the content

The only link between a spam/virus filtering algorithm and Googles data mining is that they both examine content. I am not concerned that a filtering algorithm inspects the contents of my messages - the worst that could happen is a block. But I'm greatly concerned that a marketing firm is data-mining my private communication.

My data is private. If it had no value, Google wouldn't be trawling through it. Privacy matters. Respecting privacy matters. If companies like Google, Facebook, BT, et al can't be socially responsible and ethical with private communication of their own accord, we need new laws to rein them in.

Doesn't Facebook do this to any website that has their icon on it? Why is it always Google getting hammered for doing things that everyone else seems to be doing?

'Cos while facebook has like icons plastered all over the web the only change you see is inside the walled garden that is facebook. Google on the other hand uses their information to target adverts across the web.

No, that is not how bayesian filter work, they are collected and actioned based on the content

The only link between a spam/virus filtering algorithm and Googles data mining is that they both examine content. I am not concerned that a filtering algorithm inspects the contents of my messages - the worst that could happen is a block. But I'm greatly concerned that a marketing firm is data-mining my private communication.

You have to re read Judge Koh ruling, it seem that you have missed the relevant information

I don’t use Gmail, in part because of the privacy implications. It bothers me that Google builds a detailed profile of me based on the messages I send to their users.

But this lawsuit goes too far. If service providers can’t scan your mail, then server-side spam filtering becomes impossible, as does using server rules to filter messages.

A lawsuit should target the part that bothers the plaintiffs:

* the building of detailed profiles of non-Gmail users* use of those profiles to sell advertising* providing those profiles to government agencies* the possibility that Google employees may view or exploit profiles (they assure us it won’t happen, but we know of at least one case where it did)

No, all modern effective spam filters work by learning, over time, the composition of spam vs non-spam email

If anti-spam/virus software is doing anything other than filtering spam and viruses, they will land up in court alongside Google. The difference is obvious. All electronic communication systems 'look' at our data, but it only works when they live up to our trust that they do no more than is essential for delivery. It's like saying I shouldn't be worried that Google apps might data-mine my documents because my standalone desktop word-processor also learns from monitoring my spelling corrections.

Do you think Google is pouring vast amounts of money into these systems out of charity or an outpouring of community spirit? This data is valuable, but taking it without permission is wrong.

I know it's highly impractical to selectively scan emails in order to comply to a ruling were Google to lose a lawsuit like this one. However, I kinda agree with the Judge's reasoning here. It'll be interesting to see how this proceeds.

thought it was just non gmail emails that they should not be scanning.that seems "easy" enough.

I know it's highly impractical to selectively scan emails in order to comply to a ruling were Google to lose a lawsuit like this one. However, I kinda agree with the Judge's reasoning here. It'll be interesting to see how this proceeds.

thought it was just non gmail emails that they should not be scanning.that seems "easy" enough.

If you send an email to a Gmail server, I'm pretty sure there's implied consent there that the server can read and process the contents of that email.

I can understand an argument being mounted about the privacy implications of Google's automatic profile-generation. But does that really constitute wiretapping, when the data was specifically transmitted to Google's mail servers in the first place? It seems a stretch to me.

How about Occam's Razor? There's an opportunity to make money by doing so, is there any reason to think they wouldn't do so?

It'd be terribly bad press for them to do so, and there's little evidence this process would actually significantly improve advert targetting beyond the keyword system they use now. Even *if* google was doing this, no one has seemed to identify a case of an advert targetted based on sender-email profile info, or a mechanism whereby an advertiser can pay google money to target based on sender-email.

Occam's razor would seem to me to require extra-ordinary evidence that google is doing is. All the patent info means is that they've recognised the possibility.

I mean, there's an opportunity for google to make money by stripping gmails for credit card account details, but I don't think people seriously think google does that.

It seems that the point most of you who are screaming, "Google bad, profiling me" is that YOU the SENDER are irrelevant. When you hit send, the email no longer belongs to you. It doesn't matter if you've agreed to Google's ToS or not. It doesn't matter if you use Google or not. It doesn't matter if you didn't know jdoe@somedomain.com's email was being handled by Google. The email you sent to a Gmail user is owned by that person, not you, and that person agreed to have his or her email scanned, chopped and fricasseed.

Most of the analogies, and "what if" scenarios some of you are posting trying to prove your point that Google is doing something illegal are null and void by the one simple fact above.

Really? Are you using a patent filing as proof that Google makes profiles of non Gmail users that has sent emails to Gmail users?

The patent, filed shortly before Gmail’s introduction by the lead developer of Gmail, along with the designer of the AdSense profiling and Gmail spam filtering algorithms, describes explicitly how a service like Gmail would build such profiles.

But I suppose it’s almost impossible to “prove”, except anecdotally. I know that doesn’t meet the official Internet Comment Section Proof Standards.

I don't like the idea that Google can build up a personal profile based on my emails to other people even when I myself don't use any Google services.

Who are you? No, really. Who are you? That's what Google's computers say when they see the emails you send a Gmail user. You don't use their services so they have less than zero context for who you are. At best they know that Gmail user800e5774-4d1d -4933-8a1e-bbd1becf096a talks about 'x', 'y' and 'z' topics with someone I don't know.

This irrational idea that these companies know who we, you or I am without us telling them who we are is silly. Sure, if you ever did sign up and give them a way to associate you with an email address that had passed through their servers they might have gleaned a teeny, tiny, little bit about 'you' but if you're not going to be a Google user you have nothing to fear regarding them knowing anything about you. They can't because they have no way of knowing who you are unless you have them that information.

Or you use that email address on a forum that they sell advertising on, or just happen to crawl. Or your name happens to be in an e-mail with enough information for them to piece together a rough location for you. Or your friend adds you to their gmail contacts along with name address and phone number. I'm sure you can now start thinking of more ways that they could get that information.

Except they still don't know who you are. At most you're a Globally Unique ID in their system somewhere (realistically if you're not using their services you're several disconnected GUIDs) with some characteristics. If you were to being using Google's services and tell them who you are then they could find that group of characteristics (collected via the mechanisms you outlined) and associate them to you. Otherwise "you're" just a number with no context or identification.

It's similar to going to a store with a loyalty program and accepting the loyalty rate without signing up for a card. They have some information that "person_x" accepted a loyalty rate but without a card. Only once you sign up for a card can they take your purchases and track what you're purchasing with the context of "who" you are (I use quotes here because they still may not know that LoyaltyProgramParticipant12345 is John Q Doe from Anywhere USA but they are able to persist information about LoyaltyProgramParticipant12345 and always add transactions to the same individual).